R2511-HP MSR Router Series Security Configuration Guide(V5)
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
• The strength of the algorithms for IKEv2 negotiation, namely the security protection level, including
the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different
algorithms provide different levels of protection. A stronger algorithm means better resistance to
decryption of protected data but requires more resources. Generally, the longer the key, the
stronger the algorithm.
• The local and remote identity authentication methods. To use the pre-shared key authentication
method, you must determine the pre-shared key. To use the RSA digital signature authentication
method, you must determine the PKI domain for the local end to use. For information about
configuring PKI, see "Configuring PKI."
• The pre-shared key or the PKI domain of the certificate. For more information about PKI
configuration, see "Configuring PKI."
To configure IKEv2:
Task | Remarks
Configuring global IKEv2 parameters:
• Configuring the cookie challenging function | Optional. Effective only on an IKEv2 responder.
• Configuring the IKEv2 DPD function | Optional.
• Setting limits on the number of IKEv2 SAs | Optional.
• Configuring an address pool for assigning addresses to initiators | Optional.
Configuring an IKEv2 proposal | Optional.
Configuring an IKEv2 policy | Optional.
Configuring an IKEv2 keyring | Required when either end or both ends use the pre-shared key authentication method.
Configuring an IKEv2 profile | Required.
Configuring global IKEv2 parameters
Configuring the cookie challenging function
Enable the cookie challenging function on intended responders to protect them against DoS attacks that
use a large number of source IP addresses to forge IKE_SA_INIT requests.
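The mechanism behind this function, as an added example (not HP's implementation and not code from this guide): a toy responder that, once its half-open SA count reaches a threshold, answers IKE_SA_INIT with a stateless cookie in the style of RFC 7296 section 2.6. The Responder class, the threshold value and the choice of HMAC-SHA256 as the hash are assumptions for illustration, and the addresses are constructed documentation ranges.

```python
import hashlib
import hmac
import os


class Responder:
    """Toy IKEv2 responder that tracks half-open SAs (not a real IKE stack)."""

    def __init__(self, threshold):
        self.threshold = threshold    # hypothetical half-open SA limit
        self.secret = os.urandom(32)  # known only to the responder
        self.version = 1              # bumped when the secret is rotated
        self.half_open = {}           # (ip, SPIi) -> Ni: state that costs memory

    def _cookie(self, ni, ip, spi_i):
        # RFC 7296 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, ni + ip.encode() + spi_i, hashlib.sha256)
        return bytes([self.version]) + mac.digest()

    def on_ike_sa_init(self, ip, spi_i, ni, cookie=None):
        """Return the responder's action for one IKE_SA_INIT request."""
        if len(self.half_open) >= self.threshold:
            expected = self._cookie(ni, ip, spi_i)
            if cookie is None:
                # Reply with N(COOKIE) and keep no state for this request.
                return ("COOKIE", expected)
            if not hmac.compare_digest(cookie, expected):
                return ("DROP", None)
        self.half_open[(ip, spi_i)] = ni  # state only below the limit or after a valid cookie
        return ("SA_INIT_RESPONSE", None)


def simulate():
    r = Responder(threshold=3)
    # Constructed traffic: forged requests from many spoofed source addresses.
    for i in range(100):
        r.on_ike_sa_init(f"198.51.100.{i}", os.urandom(8), os.urandom(32))
    flood_state = len(r.half_open)
    # A real initiator receives the cookie at its true address and retries.
    ip, spi, ni = "192.0.2.10", os.urandom(8), os.urandom(32)
    action, cookie = r.on_ike_sa_init(ip, spi, ni)
    retry, _ = r.on_ike_sa_init(ip, spi, ni, cookie)
    # The same cookie presented from a different source address is rejected.
    replay, _ = r.on_ike_sa_init("203.0.113.7", spi, ni, cookie)
    return flood_state, action, retry, replay
```

Because the cookie is bound to the source address, a sender that never sees replies at the spoofed address cannot complete the retry, so the responder's half-open table stops growing at the threshold.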
To configure the cookie challenging function:
Step | Command | Remarks
1. Enter system view. | system-view | N/A










